Rising zero-click risks and how to defend your business

Jeff Vance Contributing Writer

In the months leading up to Jamal Khashoggi's murder, the journalist may have been under surveillance through the mobile phones of his relatives and close associates. According to forensic analysis, the devices of several people close to Khashoggi, including the cellphone of his fiancée, were targeted with a type of attack for which there are few protections: zero-click malware.

Even though Khashoggi warned his colleagues to be vigilant about potential state-backed monitoring, their devices were still compromised by Pegasus zero-click spyware, which was developed and sold by NSO Group, an Israeli technology company.

As part of the Pegasus Project, a collaborative investigation by media organizations and human rights groups in 10 countries, Amnesty International's Security Lab conducted a forensic analysis of infected phones. Amnesty's cybersecurity experts discovered that, in addition to Khashoggi's network, as many as 50,000 other devices worldwide have been compromised by Pegasus.

NSO Group denies any connection to the Khashoggi breach and claims that it sells its surveillance software only to official intelligence and law enforcement groups that are supposed to use the spyware to combat terrorism. Nevertheless, Amnesty's Security Lab carefully detailed and published its methodology, which purports that Pegasus was the cyber-espionage tool of choice that several repressive governments, including Hungary, Saudi Arabia, and the United Arab Emirates, used to spy on journalists, activists, rival politicians, and others.

Pegasus isn't the only zero-click attack that security experts have discovered or demonstrated in order to warn the public about the risk, and its attack methodologies could spread beyond state-sponsored espionage. 

Here's what you need to know about zero-click attacks and how to protect your company.

What are zero-click attacks and how do they work?

A zero-click attack compromises a device without requiring any interaction from the end user. Most cyberattacks, in contrast, need end users to do something in order to penetrate a device. For instance, an attacker will use social engineering techniques to trick people into downloading a malware-infested attachment or clicking on a link to a compromised website.

But a zero-click attack removes the human from the equation and exploits software or hardware vulnerabilities to compromise the device simply by sending malware to the device. Users don't need to click on or open anything. Merely receiving the infected message, email, or other malware-infested payload is all it takes to compromise the device.

Zero-click attacks can prey on a number of vulnerabilities, with recent attacks exploiting zero-day vulnerabilities in messaging applications. Pegasus exploits a gap in the data-verification process of Android and iPhone messaging apps. Attackers send innocuous-looking text messages with embedded spyware that slips past the data checks. Once the messages hit users' phones, the malicious payload infects the devices.

From there, attackers can do pretty much anything they want with the device. "Turn your target's smartphone into an intelligence goldmine," boasts a sales brochure for Pegasus that was emailed to several US law enforcement agencies. The brochure was sent out by NSO Group's North American branch, WestBridge Technologies, and obtained by Vice through a public records request.

The brochure goes on to explain what Pegasus is and how it works: "Pegasus is an end-to-end cyber intelligence software which remotely and covertly extracts all data from any smartphone. Installation is performed remotely (over the air) with either minimal or no engagement from the target, requires no third-party involvement from cell phone carriers, and leaves no traces whatsoever on the device."

The Pegasus toolkit can then access everything on the phone, including contact lists, call history, emails, and calendar entries. It can also execute espionage-related tasks such as turning on the microphone to eavesdrop on a room, taking camera snapshots, tracking targets via GPS, and even intercepting calls.

How big is the risk from zero-click attacks?

"I believe that this type of malware/attack represents a very big opportunity for hackers and will continue to grow," said Kate Scarcella, chief cybersecurity architect for CyberRes, Micro Focus' cybersecurity business. "We have seen that once an example of malware is out there, it not only replicates, but soon we also see 24/7 support for the malware. I think it is only a matter of time before we see the same type of support for zero-click malware."

State-sponsored malware spreading beyond its intended target isn't just theory, as the Stuxnet worm proved. Jointly developed by US and Israeli intelligence organizations, Stuxnet was designed to destroy centrifuges that were part of Iran's nuclear development efforts. Stuxnet included features intended to limit its spread beyond Iran's nuclear program, but the worm traveled far beyond its target, infecting computers in several other countries, including China, Germany, Kazakhstan, and Indonesia.

The fact that Pegasus has yet to spread to less sophisticated hacker groups is more about luck than skillful mitigation. In 2018, a disgruntled former NSO Group employee copied Pegasus software and attempted to sell it on the dark web. But this attempt was thwarted when the prospective buyer contacted NSO Group, which then reported the former programmer to the Israeli internal security service, Shin Bet. The employee was arrested before he could sell any pirated copies of Pegasus.

Could your organization be targeted?

While the zero-click risk for most organizations today is small, it is certainly not zero. China, Russia, and Iran all have advanced cyber-espionage capabilities, and each of them has targeted US government agencies, private businesses, and even critical infrastructure.

The United States and many of its allies, including Israel, the United Kingdom, and Estonia, also have advanced cyber-espionage and cyberwarfare capabilities, meaning that zero-click tools are very likely already in the hands of any number of official or state-backed groups.

Many businesses may be tempted to believe that they are not large or important enough to be targeted by a zero-click attack. In the age of cyberwar, ransomware, and advanced persistent threats, this outdated "security through obscurity" mindset is not a plan, but a coping mechanism.

In fact, as Internet of Things (IoT) devices increasingly spread throughout a range of industries, businesses must defend themselves against an array of new and accelerating risks.

According to CyberRes' Scarcella, IoT and all the devices that are connecting to businesses have expanded the threat surface in a way that was not conceivable a decade or two ago. As an example, she pointed to agribusinesses, where IoT collars are placed on dairy cows to improve milk production. "We may think this is silly, protecting cows," she said. "But we had a recent cyberattack that shut down the H.P. Hood dairy in the Northeast. I couldn't even find half and half!"

7 steps to protect your company

While the Hood attack was not a zero-click one, it illustrates just how broad the attack surface for hackers has become in the IoT era, as does the Colonial Pipeline ransomware attack, which prompted the Biden administration to enact emergency measures.

In order to protect against zero-click attacks, follow the seven steps below to help your organization limit its attack surface and mitigate the risks of zero-click and other zero-day threats.

  • Make sure all of your systems and software are patched and up to date.
  • Embrace automation for manual, repetitive security tasks, including vulnerability assessments and patching.
  • Vet the developers of all of your software, especially obscure applications. For example, if one of your departments wants to deploy specialized software from a niche developer, don't take shortcuts on due diligence.
  • Enforce multifactor authentication to access corporate resources.
  • Install security agents on end devices, which "can send the telemetry data of the device so that we can understand when the device is doing something outside of normal behavior," CyberRes' Scarcella advised.
  • Deploy security tools that incorporate AI and ML to improve your chances of spotting and thwarting zero-click and zero-day attacks. AI and ML tools can detect abnormal behaviors from a device, such as the exfiltration of large amounts of data, that are signs of an attack.
  • Don’t be afraid to sue. Apple and Facebook have both sued NSO Group over Pegasus, moves that helped trigger the Biden administration's blacklisting of NSO Group.
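The two telemetry-driven steps above (agents reporting device telemetry, and tooling that flags a device "doing something outside of normal behavior" such as bulk data exfiltration) come down to one question: how much outbound traffic is normal for this particular device, and is the current hour far outside that? The following is an added example, not code from the article, CyberRes, or any endpoint product. It takes constructed JSON-lines telemetry of the kind an agent might emit (the device names, field names, and byte counts are invented), builds a per-device baseline of outbound bytes per hour, and raises an alert when an hour's egress is well above that device's own robust threshold.

```python
"""
Per-device egress baseline check over endpoint telemetry.

Added example (not from the article or any vendor). Each device gets its own
baseline, so a laptop that routinely syncs 50 MB/hour is not flagged for
doing so, while a phone that normally sends 2 MB/hour is flagged the hour it
sends hundreds of megabytes.
"""
import json
import statistics
from collections import defaultdict

# Constructed sample telemetry, one JSON record per line. Device names,
# hours and byte counts are invented for this example.
SAMPLE_TELEMETRY = """\
{"device": "phone-0017", "hour": "2021-11-01T08", "bytes_out": 2100000}
{"device": "phone-0017", "hour": "2021-11-01T09", "bytes_out": 1900000}
{"device": "phone-0017", "hour": "2021-11-01T10", "bytes_out": 2400000}
{"device": "phone-0017", "hour": "2021-11-01T11", "bytes_out": 2000000}
{"device": "phone-0017", "hour": "2021-11-01T12", "bytes_out": 1800000}
{"device": "phone-0017", "hour": "2021-11-01T13", "bytes_out": 2200000}
{"device": "phone-0017", "hour": "2021-11-01T14", "bytes_out": 2300000}
{"device": "phone-0017", "hour": "2021-11-01T15", "bytes_out": 480000000}
{"device": "laptop-0042", "hour": "2021-11-01T08", "bytes_out": 48000000}
{"device": "laptop-0042", "hour": "2021-11-01T09", "bytes_out": 52000000}
{"device": "laptop-0042", "hour": "2021-11-01T10", "bytes_out": 50000000}
{"device": "laptop-0042", "hour": "2021-11-01T11", "bytes_out": 51000000}
{"device": "laptop-0042", "hour": "2021-11-01T12", "bytes_out": 49000000}
{"device": "laptop-0042", "hour": "2021-11-01T13", "bytes_out": 50000000}
{"device": "laptop-0042", "hour": "2021-11-01T14", "bytes_out": 55000000}
{"device": "laptop-0042", "hour": "2021-11-01T15", "bytes_out": 64000000}
{"device": "tablet-0003", "hour": "2021-11-01T08", "bytes_out": 300000}
{"device": "tablet-0003", "hour": "2021-11-01T09", "bytes_out": 900000000}
not-json-garbage-line
"""


def parse_telemetry(text):
    """Parse JSON-lines telemetry into {device: [(hour, bytes_out), ...]},
    each device's list sorted by hour. Malformed lines are skipped rather
    than aborting the whole batch."""
    per_device = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            per_device[rec["device"]].append((rec["hour"], int(rec["bytes_out"])))
        except (ValueError, KeyError, TypeError):
            continue
    for hours in per_device.values():
        hours.sort()
    return dict(per_device)


def egress_threshold(baseline, k=4.0):
    """Robust upper bound for 'normal' hourly egress: median + k * scaled MAD.
    Median/MAD are used instead of mean/stddev so one earlier spike in the
    baseline does not inflate the threshold. The MAD is floored at 10% of
    the median so a perfectly flat baseline does not fire on any tiny
    fluctuation."""
    med = statistics.median(baseline)
    mad = statistics.median([abs(b - med) for b in baseline]) * 1.4826
    return med + k * max(mad, 0.1 * med)


def detect_egress_anomalies(per_device, baseline_hours=6, k=4.0, min_bytes=10_000_000):
    """Use each device's first `baseline_hours` records as its baseline and
    evaluate the remaining hours against that device's threshold. Devices
    with too little history are skipped (no baseline, no verdict), and an
    absolute floor `min_bytes` keeps tiny devices from alerting on noise."""
    alerts = []
    for device, hours in per_device.items():
        if len(hours) <= baseline_hours:
            continue  # not enough history to judge this device yet
        baseline = [b for _, b in hours[:baseline_hours]]
        threshold = egress_threshold(baseline, k)
        for hour, bytes_out in hours[baseline_hours:]:
            if bytes_out > threshold and bytes_out >= min_bytes:
                alerts.append({
                    "device": device,
                    "hour": hour,
                    "bytes_out": bytes_out,
                    "threshold": round(threshold),
                    "ratio": round(bytes_out / threshold, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_egress_anomalies(parse_telemetry(SAMPLE_TELEMETRY)):
        print(f"ALERT {alert['device']} {alert['hour']}: {alert['bytes_out']} bytes out "
              f"({alert['ratio']}x the device's threshold of {alert['threshold']})")
```

On the sample data only phone-0017's 15:00 hour is flagged; laptop-0042's 64 MB hour stays under its own threshold, and tablet-0003's huge hour produces no verdict because two records are not a baseline. In a real deployment the baseline would be a rolling window over days, keyed additionally on weekday/hour, and the alert would be enriched with the destination and process responsible for the traffic before it reaches an analyst.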
